[Bug 586112] New: Sax2 fails with buffer overflow message

older
[Bug 550735] Firefox 3.5 update...

bugzilla_noreply＠novell.com

7 Mar 2010 7 Mar '10

06:23

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c0 Summary: Sax2 fails with buffer overflow message Classification: openSUSE Product: openSUSE 11.3 Version: Factory Platform: x86-64 OS/Version: openSUSE 11.3 Status: NEW Severity: Major Priority: P5 - None Component: SaX2 AssignedTo: bnc-team-xorg-bugs@forge.provo.novell.com ReportedBy: linxt@comcast.net QAContact: sax2-maintainer-bugs@forge.provo.novell.com Found By: --- Blocker: --- Created an attachment (id=346975) --> (http://bugzilla.novell.com/attachment.cgi?id=346975) copies of log files and error message User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.0) Gecko/20100115 SUSE/3.6.0-1.8 Firefox/3.6 Attempted to run Sax2 from start menu. Root prompt popup asked for password. Supplied password and Sax2 started to load going to blank screen with suse icon in upper left corner and blinking cursor near lower left corner spinning. After some time, pressed enter and root login console appeared. Tried to run Sax2 from console resulted in same behaviour as above. Tried to run Sax2 in a root terminal resulted in an error message about buffer overflow and two files (devices) not found. See attached error report. Dell Studio 1745, Intel Mobile GM45 express chipset, Intel Mobile 4 series graphic controller, MC13K173WD1 lcd monitor, 4GB RAM Reproducible: Always Steps to Reproduce: 1.Attempt to run Sax2 from either start menu or root terminal 2.Provide root password 3.Sax2 fails with attached error message Actual Results: Sax2 fails to start claiming buffer overflow Expected Results: Sax2 to start and reconfigure display resolution -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Show replies by date

bugzilla_noreply＠novell.com

7 Mar 7 Mar

15:06

New subject: [Bug 586112] Sax2 fails with buffer overflow message

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c1 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium Status|NEW |ASSIGNED AssignedTo|bnc-team-xorg-bugs@forge.pr |sndirsch@novell.com |ovo.novell.com | --- Comment #1 from Stefan Dirsch 2010-03-07 15:06:33 UTC --- Maybe this can be reproduced. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

18 Mar 18 Mar

06:50

New subject: [Bug 586112] Sax2 fails with buffer overflow message

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c2 --- Comment #2 from Stefan Dirsch 2010-03-18 06:50:17 UTC --- Looks like this happens in sysp (part of sax2). # sudo sysp -s xstuff *** buffer overflow detected ***: sysp terminated ======= Backtrace: ========= /lib64/libc.so.6(__fortify_fail+0x37)[0x7fdebafe5a37] /lib64/libc.so.6(+0xe5850)[0x7fdebafe3850] /lib64/libc.so.6(+0xe4e5b)[0x7fdebafe2e5b] /lib64/libc.so.6(__snprintf_chk+0x7a)[0x7fdebafe2d2a] sysp[0x4505ed] sysp[0x43d09c] sysp[0x40c96c] sysp[0x40d170] /lib64/libc.so.6(__libc_start_main+0xfd)[0x7fdebaf1cbdd] sysp[0x404b69] ======= Memory map: ======== [...] Maybe this is related to the runtime malloc check we've now enabled by default. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

25 Mar 25 Mar

01:48

New subject: [Bug 586112] Sax2 fails with buffer overflow message

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c3 --- Comment #3 from Stefan Dirsch 2010-03-25 01:48:21 UTC --- Buffer overflow appears to happen here: sysp/lib/hw/monitor.c:MonitorGetData() 174 snprintf(display->ddc, strlen(display->ddc) - 1, "%s%04x", vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

27 Mar 27 Mar

12:38

New subject: [Bug 586112] Sax2 fails with buffer overflow message

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c4 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #4 from Stefan Dirsch 2010-03-27 12:38:07 UTC --- Worked around for now: sax2.changes: ------------------------------------------------------------------- Sat Mar 27 13:06:39 CET 2010 - sndirsch@suse.de - switch to gcc 4.3 for now to fix buffer overflows in sysp (bnc #586112) 35894 State:new By:sndirsch When:2010-03-27T13:36:20 submit: X11:Utilities/sax2 -> openSUSE:Factory Descr: 'latest translation fixes; switch to gcc 4.3 for now to fix buffer overflows in sysp (bnc #586112)' If anybody would like to fix it for real, please go ahead! -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

16:21

New subject: [Bug 586112] Sax2 fails with buffer overflow message

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c5 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lee_matheson@hotmail.com --- Comment #5 from Stefan Dirsch 2010-03-27 16:21:26 UTC --- *** Bug 591660 has been marked as a duplicate of this bug. *** http://bugzilla.novell.com/show_bug.cgi?id=591660 -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

5 Apr 5 Apr

22:53

New subject: [Bug 586112] Sax2 fails with buffer overflow message

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c6 Ruediger Oertel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED CC| |ro@novell.com Resolution|FIXED | --- Comment #6 from Ruediger Oertel 2010-04-05 22:53:30 UTC --- hey, funny code: sprintf(display->ddc,"%c",'\0'); snprintf(display->ddc, strlen(display->ddc) - 1, "%s%04x", vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id) ); toUpper (display->ddc); okay, first we write a 0 byte to display->ddc then we take the strlen of display->ddc, which is 0 so we try to write "-1" bytes to display->ddc from the vendor-id and a hexcode from the device id. what was this code really intended to do ? let's try this: snprintf(display->ddc, sizeof(display->ddc) - 1, "%s%04x", vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id) ); // make sure its null terminated sprintf((display->ddc)+strlen(display->ddc),"%c",'\0'); toUpper (display->ddc); -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

6 Apr 6 Apr

00:18

New subject: [Bug 586112] Sax2 fails with buffer overflow message

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c7 --- Comment #7 from Ruediger Oertel 2010-04-06 00:18:55 UTC --- but I don't get too much further there since libxf86config is broken (mail sent to xorg-devel) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

01:04

New subject: [Bug 586112] Sax2 fails with buffer overflow message / Build fails with undefined symbol: xf86CheckBoolOption

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |ASSIGNED Summary|Sax2 fails with buffer |Sax2 fails with buffer |overflow message |overflow message / Build | |fails with undefined | |symbol: xf86CheckBoolOption -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

01:11

New subject: [Bug 586112] Sax2 fails with buffer overflow message / Build fails with undefined symbol: xf86CheckBoolOption

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c8 --- Comment #8 from Stefan Dirsch 2010-04-06 01:11:14 UTC --- (In reply to comment #7)

...

but I don't get too much further there since libxf86config is broken (mail sent to xorg-devel)

http://lists.x.org/archives/xorg-devel/2010-April/006869.html -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

09:46

New subject: [Bug 586112] Sax2 fails with buffer overflow message / Build fails with undefined symbol: xf86CheckBoolOption

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c9 --- Comment #9 from Ruediger Oertel 2010-04-06 09:45:59 UTC --- argh, comment 6 is nonsense as well ... sprintf((display->ddc)+strlen(display->ddc),"%c",'\0'); strlen would only work if already null-terminated ... -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:14

New subject: [Bug 586112] Sax2 fails with buffer overflow message / Build fails with undefined symbol: xf86CheckBoolOption

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c10 --- Comment #10 from Ruediger Oertel 2010-04-06 10:14:05 UTC --- currently using: --- sysp/lib/hw/monitor.c +++ sysp/lib/hw/monitor.c @@ -58,6 +58,7 @@ unsigned portID = 0; unsigned i = 0; char buf[256] = ""; + int id_length = 0; //int vt_orig = getvt(); //chvt (1); @@ -170,10 +171,16 @@ //=================================== // Save Monitor DDC ID ... //----------------------------------- - sprintf(display->ddc,"%c",'\0'); - snprintf(display->ddc, strlen(display->ddc) - 1, "%s%04x", + snprintf(display->ddc, sizeof(display->ddc) - 1, "%s%04x", vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id) ); + + // make sure its null terminated + id_length = strlen(vend_id2str(hd->vendor.id)) + 4 + 1; + if (id_length > (sizeof(display->ddc) - 1)) + id_length = sizeof(display->ddc) - 1; + sprintf((display->ddc)+id_length,"%c",'\0'); + toUpper (display->ddc); //=================================== // Save Monitor DisplaySize + Res -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

10:50

New subject: [Bug 586112] Sax2 fails with buffer overflow message / Build fails with undefined symbol: xf86CheckBoolOption

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c11 --- Comment #11 from Stefan Dirsch 2010-04-06 10:50:05 UTC --- Rudi, snprintf writes the string *including* the trailing trailing null byte ('\0'). What about ? - sprintf(display->ddc,"%c",'\0'); - snprintf(display->ddc, strlen(display->ddc) - 1, "%s%04x", - vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id) - ); + snprintf(display->ddc, sizeof(display->ddc), "%s%04x", + vend_id2str(hd->vendor.id),ID_VALUE(hd->device.id) + ); -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

17:12

New subject: [Bug 586112] Sax2 fails with buffer overflow message / Build fails with undefined symbol: xf86CheckBoolOption

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c12 --- Comment #12 from Ruediger Oertel 2010-04-06 17:12:54 UTC --- yep, forgot that snprintf guarantees null-termination. looks good. -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

20:19

New subject: [Bug 586112] Sax2 fails with buffer overflow message / Build fails with undefined symbol: xf86CheckBoolOption

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P3 - Medium |P2 - High -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

bugzilla_noreply＠novell.com

7 Apr 7 Apr

10:59

New subject: [Bug 586112] Sax2 fails with buffer overflow message / Build fails with undefined symbol: xf86CheckBoolOption

http://bugzilla.novell.com/show_bug.cgi?id=586112 http://bugzilla.novell.com/show_bug.cgi?id=586112#c13 Stefan Dirsch changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #13 from Stefan Dirsch 2010-04-07 10:59:35 UTC --- (In reply to comment #7)

...

but I don't get too much further there since libxf86config is broken (mail sent to xorg-devel)

Fixed/workarounded in xorg-x11-server now: ------------------------------------------------------------------- Tue Apr 6 20:48:21 CEST 2010 - ro@suse.de - fix libxf86config (resolve references) (In reply to comment #12)

...

yep, forgot that snprintf guarantees null-termination. looks good.

Fixed in sax2 now. ------------------------------------------------------------------- Wed Apr 7 00:02:38 CEST 2010 - sndirsch@suse.de - likely fixed buffer overflow in sysp (bnc #586112) -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

5143

Age (days ago)

5174

Last active (days ago)

List overview

Download

15 comments

1 participants

participants (1)

bugzilla_noreply＠novell.com

[Bug 586112] New: Sax2 fails with buffer overflow message

tags

participants (1)